Archive

The infamous Flame virus can infect even secure PCs by tricking them into believing its malicious payload is actually an update from Microsoft.

As we already know, Flame has gained traction by tapping into security certificates for Microsoft’s Terminal Server. Though they appear to be digitally signed by Microsoft, the certificates are actually cooked up by the people behind Flame, thereby tricking PCs into accepting them as legitimate.

Microsoft and Symantec revealed yesterday that the virus can up the ante by using the fake certificates to spoof Microsoft’s own Windows Update service. As such, Windows PCs could receive an update that claims to be from Microsoft but is in fact a launcher for the malware.

Symantec described the method behind Flame’s madness: The virus, also known as Flamer, uses three applications to infect PCs — Snack, Munch, and Gadget. Collectively, this trio can trick PCs into redirecting Internet traffic to an infected computer running a fake Web server. Once infected, a PC thinks the file that loads Flame is actually a Windows Update from Microsoft.

And as Symantec explained in its blog, spoofing Windows Update is not a trivial matter.

Hijacking Windows Update is not trivial because updates must be signed by Microsoft. However, Flamer bypasses this restriction by using a certificate that chains to the Microsoft Root Authority and improperly allows code signing. So when a Windows Update request is received, the GADGET module through MUNCH provides a binary signed by a certificate that appears to belong to Microsoft.

The unsuspecting PC then downloads and executes the binary file, believing it to be a legitimate Windows Update file, Symantec added. The binary is not the Flame virus itself but a loader for Flame.

“In all cases, Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack,” Microsoft said. The Flame virus itself has employed a man-in-the-middle attack to steal data, listen in on audio conversations, and take shots of screen activity.

Microsoft has already taken action by issuing a Security Advisory on how to block software signed by the unauthorized certificates, releasing an update to block the rogue certificates, and cutting off the ability of the Terminal Server Licensing Service to issue certificates that allow code to be signed.
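The two defensive ideas in the paragraphs above, a chain that should never have been allowed to sign code and a blocklist of rogue certificates, can be modelled with a small validator. The following is an added example written for this page; it is not code from the article, from Microsoft, or from Symantec, and it does not reproduce the real Flame certificate chain. It implements the chain-wide Extended Key Usage (EKU) rule that Windows' CryptoAPI applies: every issuer that carries an EKU extension restricts the purposes its subordinates may be used for, so a leaf may sign code only if no certificate above it excludes the Code Signing purpose. The certificates, subject names and the licensing-only OID are constructed placeholders; `EKU_CODE_SIGNING` is the real RFC 5280 id-kp-codeSigning OID.

```python
"""Added example: chain-level EKU check plus an untrusted-certificate blocklist.
All certificates below are constructed for illustration and are not real."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"   # id-kp-codeSigning (RFC 5280)
EKU_LICENSE_ONLY = "1.3.6.1.4.1.99999.1"  # constructed placeholder OID for a licensing-only purpose


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False
    # None means "no EKU extension present", i.e. the certificate places no purpose restriction.
    eku: Optional[FrozenSet[str]] = None


def build_chain(leaf: Cert, store: Dict[str, Cert]) -> List[Cert]:
    """Follow issuer links from the leaf up to a self-signed root (leaf first, root last)."""
    chain = [leaf]
    seen = {leaf.subject}
    cur = leaf
    while cur.subject != cur.issuer:
        nxt = store.get(cur.issuer)
        if nxt is None or nxt.subject in seen:
            raise ValueError(f"cannot build chain above {cur.subject!r}")
        chain.append(nxt)
        seen.add(nxt.subject)
        cur = nxt
    return chain


def effective_ekus(chain: List[Cert]) -> Optional[FrozenSet[str]]:
    """Intersect the EKU sets of every certificate that carries the extension.
    None means the whole chain is unconstrained (no certificate had an EKU extension)."""
    allowed: Optional[FrozenSet[str]] = None
    for cert in chain:
        if cert.eku is not None:
            allowed = cert.eku if allowed is None else allowed & cert.eku
    return allowed


def chain_allows_code_signing(chain: List[Cert], trusted_roots: FrozenSet[str],
                              untrusted: FrozenSet[str] = frozenset()) -> bool:
    """True only if the chain ends in a trusted root, contains no blocklisted
    certificate, has CA flags on every issuer, and the intersected EKUs still
    permit code signing."""
    if chain[-1].subject not in trusted_roots:
        return False
    if any(c.subject in untrusted for c in chain):
        return False                       # explicitly distrusted, as in the advisory's blocklist
    if not all(c.is_ca for c in chain[1:]):
        return False
    allowed = effective_ekus(chain)
    return allowed is None or EKU_CODE_SIGNING in allowed


TRUSTED_ROOTS = frozenset({"CN=Example Root Authority"})


def demo() -> Dict[str, bool]:
    root = Cert("CN=Example Root Authority", "CN=Example Root Authority", is_ca=True)
    # Flawed issuer: a licensing CA with no EKU extension, so any purpose a leaf claims survives.
    lax_ca = Cert("CN=Example Licensing CA (no EKU)", root.subject, is_ca=True)
    rogue_leaf = Cert("CN=Rogue Signer", lax_ca.subject,
                      eku=frozenset({EKU_LICENSE_ONLY, EKU_CODE_SIGNING}))
    # Corrected issuer: the same kind of CA, now restricted to the licensing purpose only.
    strict_ca = Cert("CN=Example Licensing CA (EKU-restricted)", root.subject, is_ca=True,
                     eku=frozenset({EKU_LICENSE_ONLY}))
    rogue_leaf2 = Cert("CN=Rogue Signer 2", strict_ca.subject,
                       eku=frozenset({EKU_LICENSE_ONLY, EKU_CODE_SIGNING}))
    store = {c.subject: c for c in (root, lax_ca, strict_ca)}
    flawed = build_chain(rogue_leaf, store)
    fixed = build_chain(rogue_leaf2, store)
    blocklist = frozenset({lax_ca.subject})   # the response in the text: distrust the rogue issuer
    return {
        "unrestricted_issuer": chain_allows_code_signing(flawed, TRUSTED_ROOTS),
        "eku_restricted_issuer": chain_allows_code_signing(fixed, TRUSTED_ROOTS),
        "unrestricted_issuer_blocklisted": chain_allows_code_signing(flawed, TRUSTED_ROOTS, blocklist),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted for code signing' if ok else 'rejected'}")
```

The first case shows why an issuing CA that carries no EKU restriction is dangerous: the leaf's self-declared Code Signing purpose is never narrowed by anything above it. The second case shows the structural fix (restrict the issuer's EKU), and the third shows the stop-gap the article describes (distrust the rogue certificates outright) working even against the unrestricted chain.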

To further protect its customers, the software giant is promising to harden its Windows Update service.

“We will begin this update following broad adoption of Security Advisory 2718704 in order not to interfere with that update’s worldwide deployment,” Microsoft said. “We will provide more information on the timing of the additional hardening to Windows Update in the near future.”

Some security experts have downplayed the danger of Flame, claiming it’s not as huge a threat as feared.

“As we continue our investigation of Flame, more and more details appear which indicate our initial statement: this is one of the most interesting and complex malicious programs we have ever seen,” Kaspersky said in a blog yesterday.

April 24, 2012 7:17 PM ET

VMware’s ESX hypervisor source code leak may stem from an attack on a Chinese import-export firm last month in which an anonymous hacker claims to have made off with more than one terabyte of confidential documents.

On Tuesday, Kaspersky Lab’s Threatpost blog reported the details of its recent IRC conversation with “Hardcore Charlie,” the anonymous hacker who posted the purported VMware ESX source code online on April 8.

Hardcore Charlie claims to have obtained the VMware ESX source code after breaching the corporate network of the China National Electronics Import-Export Corporation (CEIEC), a Beijing-based firm. He also broke into and stole documents from the networks of China North Industries Corporation (Norinco), WanBao Mining Ltd, Ivanho and PetroVietnam, according to the Threatpost report.

VMware could not be reached for comment.

In a security bulletin issued earlier on Tuesday, VMware warned that a single file from its ESX server hypervisor source code had been posted online and said it is possible that more proprietary files could be leaked.

The leaked ESX code is from the 2003 to 2004 period, and security experts told CRN the potential impact of the breach depends on how much VMware